How To Implementation External Authentication Programs
for mod_authnz_external or mod_auth_external
- Version 3.3.x
+ Version 3.2.6
LANGUAGES
-v3.3.0 (Jan Wolter - Oct 6, 2011)
-----------------------------------------------
- * Revised to work with Apache 2.3 / 2.4. Will not work with previous Apache
- versions.
- * Deleted 'GroupExternalAuthoritative' and 'AuthzExternalAuthoritative'
- directives which are obsolete.
- * Deleted 'GroupExternalError' directive which is superceded by Apache's
- 'AuthzSendForbiddenOnFailure' directive.
-
v3.2.6 (Jan Wolter - Oct 6, 2011)
-----------------------------------------------
* Modified parsing of "Require groups" line so that you can have group
How To Install mod_authnz_external.c
- Version 3.3.x
+ Version 3.2.6
NOTES:
in the INSTALL.HARDCODE file in this directory before following these
instructions.
- * These instructions are for Apache version 2.4. This version of
+ * These instructions are for Apache version 2.2. This version of
mod_authnz_external will not work with older versions of Apache.
- Other versions are available for different releases of Apache:
+ It will not work with Apache 2.4. Other versions are available for
+ different releases of Apache:
Apache 1.3 mod_auth_external-2.1.x
Apache 2.0 mod_auth_external-2.2.x
AuthBasicProvider external
AuthExternal <keyword>
GroupExternal <groupkeyword>
- Require external-group <groupname1> <groupname2> ...
+ Require group <groupname1> <groupname2> ...
Here <groupkeyword> matches a name you defined with with the
DefineExternalGroup or AddExternalGroup command in step 2.
owns the file being accessed, you can configure an external group
checker and then install mod_authz_owner and do:
- Require external-file-group
+ Require file-group
The GroupExternal cannot (yet?) be used with multiple external
authenticators.
* MODIFYING ERROR CODES FOR GROUP CHECKING:
- Normally, if a group authentication fails, then apache will return a
- 401 error, which will normally cause the browser to pop up a fresh
- login box so the user can try logging in with a different ID. This
- may not always be appropriate. If you rejected him because he has a
- blocked IP address, returning a 403 error, which displays an error
- page (which you can configure) may be a better choice than asking him
- to endlessly try new logins and passwords.
+ Normally, if a group authentication fails, then mod_authnz_external
+ will return a 401 error, which will normally cause the browser to
+ pop up a fresh login box so the user can try logging in with a different
+ ID. This may not always be appropriate. If you rejected him because he
+ has a blocked IP address, returning a 403 error, which displays an error
+ page (which you can configure) may be a better choice. To get a
+ 403 error instead of a 401 error on failed group access checks, you
+ would add the following command to your configuration:
- Previous versions of mod_authnz_external had a 'GroupExternalError'
- directive that allowed you to change this. This no longer exists
- Under Apache 2.4 you can control the return code using the
- 'AuthzSendForbiddenOnFailure' directive.
+ GroupExternalError 403
+
+ This would effect only group checks, never password checks. Bad
+ passwords always result in a 401 error.
* INTERACTIONS WITH OTHER AUTHENTICATORS:
- Previous versions of mod_authnz_external had 'GroupExternalAuthoritative'
- directive. In Apache 2.4, the notion of authoritativeness is
- thankfully almost entirely gone, so this directive is too.
-
+ It is possible to configure more than one different authentication
+ module. If you do so, you will normally want to make them
+ unauthoritative, so that if one fails, the others will be tried.
+ That way, authentication or access will be granted if ANY of the
+ the configured modules finds it valid.
+
+ If all your password checkers are "authn" modules running under
+ mod_auth_basic, then you need do nothing. The arbitration among
+ such modules is different than the arbitration between top level
+ modules, and does the right thing by default. But if some are not
+ "authn" modules, then you'll want to make mod_auth basic
+ unauthoritative with the "AuthBasicAuthoritative off" directive
+ described in the Apache manual.
+
+ If you have multiple group checkers, then you will need to make
+ mod_authnz_external un-authoritative for group checking. To do
+ this, use the directive:
+
+ GroupExternalAuthoritative off
+
+ Of course, you'll probably also have to make the other module
+ unauthoritative. For example, if you have a "Require user pete"
+ directive and a "Require group admin" directive and expect it to
+ allow either pete or any admin to login, then you need to make
+ mod_authz_user unauthoritative, because that's what checks
+ "Require user" directives.
+
+ See the Apache manual pages on AuthType, AuthName, AuthBasicProvider,
+ Require, and AuthGroupFile for more information.
+
* OLD DIRECTIVES
Some of the directives mentioned above used to have different names.
- One old name still works for backward compatibility.
+ The old names still work for backward compatibility.
+ AuthzExternalAuthoritative equals GroupExternalAuthoritative
AuthExternalGroupsAtOnce equals GroupExternalManyAtOnce
(4) Install the Authenticator
build: mod_authnz_external.la
-mod_authnz_external.la: mod_authnz_external.c
+mod_authnz_external.la:
$(APXS) -c mod_authnz_external.c
clean:
- Mod_Authnz_External version 3.3.x
+ Mod_Authnz_External version 3.2.6
Original Coder: Nathan Neulinger <nneul@umr.edu>
Previous Maintainer: Tyler Allison <allison@nas.nasa.gov>
Versions:
---------
-Mod_authnz_external version 3.3.x is designed for use with Apache version
-2.4.x. It will not work with Apache 2.2 or 2.0. For older versions of
-Apache you will need older branches of mod_authnz_external:
-
- Apache 1.3 mod_auth_external-2.1.x
- Apache 2.0 mod_auth_external-2.2.x
- Apache 2.2 mod_authnz_external-3.1.x or mod_authnz_external-3.2.x
- Apache 2.4 mod_authnz_external-3.3.x
+Mod_authnz_external version 3.2.x is designed for use with Apache version
+2.2.x. It will not work with Apache 2.0 or Apache 2.4. For Apache 2.4,
+you need mod_authnz_external 3.3.x. If you have an older version of Apache,
+use instead either mod_auth_external-2.1.x for Apache 1.3, or
+mod_auth_external-2.2.x for Apache 2.2.
This module was developed from "mod_auth_external". It has been restructured
to fit into the authn/authz structure introduce in Apache 2.1. It can be used
AuthExternalAuthoritative off
- This command will no longer work. If upgrading to Apache 2.2, you
- should use one or both of the following commands:
+ This command will no longer work. Instead you should use one or both
+ of the following commands:
AuthBasicAuthoritative off
GroupExternalAuthoritative off
group checker was given a chance to decide if the user was in that group
based on it's group database.
- In Apache 2.4, all of this is handled quite differently. I need to
- document this.
-
(6) If you were using multiple Require directives, the behavior may change
under Apache 2.2. Suppose you wanted to allow access to user "pete" and
members of the group "admins". You might have do:
GroupUserAuthoritative off
- Again, in Apache 2.4, all of this is handled quite differently, and this
- document needs updating.
-
(7) Note that a new type of functionality is available under Apache 2.2 with
mod_authnz_external. Thanks to mod_authz_owner, you can now do:
being used for http authentication, but for people using 'pwauth'
with mod_authnz_external, these really check if the user has been
authenticated as the unix user who owns the file.
-
- In Apache 2.4, this is the same, except the latter of the two becomes:
-
- Require external-file-group
apr_array_header_t *auth_name; /* Auth keyword for current dir */
char *group_name; /* Group keyword for current dir */
char *context; /* Context string from AuthExternalContext */
+ int authoritative; /* Are we authoritative in current dir? */
int groupsatonce; /* Check all groups in one call in this dir? */
+ char *grouperror; /* What to return if group auth fails */
} authnz_external_dir_config_rec;
} authnz_external_svr_config_rec;
-/* A handle for retrieving the requested file's group from mod_authnz_owner */
-APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
-
/*
* Creators for per-dir and server configurations. These are called
* via the hooks in the module declaration to allocate and initialize
dir->auth_name= apr_array_make(p,2,sizeof(const char *)); /* no default */
dir->group_name= NULL; /* no default */
dir->context= NULL; /* no default */
+ dir->authoritative= 1; /* strong by default */
dir->groupsatonce= 1; /* default to on */
+ dir->grouperror= NULL; /* default to 401 */
return dir;
}
RSRC_CONF,
"a keyword followed by the method by which the data is passed"),
+ AP_INIT_FLAG("GroupExternalAuthoritative",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authnz_external_dir_config_rec, authoritative),
+ OR_AUTHCFG,
+ "Set to 'off' to allow access control to be passed along to lower "
+ "modules if this module can't confirm access rights" ),
+
+ AP_INIT_FLAG("AuthzExternalAuthoritative",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authnz_external_dir_config_rec, authoritative),
+ OR_AUTHCFG,
+ "Old version of 'GroupExternalAuthoritative'" ),
+
AP_INIT_TAKE1("AuthExternalContext",
ap_set_string_slot,
(void *)APR_OFFSETOF(authnz_external_dir_config_rec, context),
"An arbitrary context string to pass to the authenticator in the "
ENV_CONTEXT " environment variable"),
+ AP_INIT_TAKE1("GroupExternalError",
+ ap_set_string_slot,
+ (void *)APR_OFFSETOF(authnz_external_dir_config_rec, grouperror),
+ OR_AUTHCFG,
+ "HTTP error code to return when group authentication fails"),
+
AP_INIT_FLAG("GroupExternalManyAtOnce",
ap_set_flag_slot,
(void *)APR_OFFSETOF(authnz_external_dir_config_rec, groupsatonce),
}
-static authz_status externalgroup_check_authorization(request_rec *r,
- const char *require_args, const void *parsed_require_args)
+static int authz_external_check_user_access(request_rec *r)
{
authnz_external_dir_config_rec *dir= (authnz_external_dir_config_rec *)
ap_get_module_config(r->per_dir_config, &authnz_external_module);
authnz_external_svr_config_rec *svr= (authnz_external_svr_config_rec *)
ap_get_module_config(r->server->module_config, &authnz_external_module);
- char *user= r->user;
- char *extname= dir->group_name;
+ int i, code, ret;
+ int m= r->method_number;
const char *extpath, *extmethod;
+ char *extname= dir->group_name;
+ int required_group= 0;
const char *t, *w;
- int code;
-
- /* If no authenticated user, pass */
- if ( !user ) return AUTHZ_DENIED_NO_USER;
+ const apr_array_header_t *reqs_arr= ap_requires(r);
+ const char *filegroup= NULL;
+ require_line *reqs;
/* If no external authenticator has been configured, pass */
- if ( !extname ) return AUTHZ_DENIED;
-
- /* Get the path and method associated with that external */
- if (!(extpath= apr_table_get(svr->group_path, extname)) ||
- !(extmethod= apr_table_get(svr->group_method,extname)))
- {
- errno= 0;
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "invalid GroupExternal keyword (%s)", extname);
- return AUTHZ_DENIED;
- }
+ if ( !extname ) return DECLINED;
- if (dir->groupsatonce)
- {
- /* Pass rest of require line to authenticator */
- code= exec_external(extpath, extmethod, r, ENV_GROUP, require_args);
- if (code == 0) return AUTHZ_GRANTED;
- }
- else
- {
- /* Call authenticator once for each group name on line */
- t= require_args;
- while ((w= ap_getword_conf(r->pool, &t)) && w[0])
- {
- code= exec_external(extpath, extmethod, r, ENV_GROUP, w);
- if (code == 0) return AUTHZ_GRANTED;
- }
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Authorization of user %s to access %s failed. "
- "User not in Required group.",
- r->user, r->uri);
-
- return AUTHZ_DENIED;
-}
+ /* If there are no Require arguments, pass */
+ if (!reqs_arr) return DECLINED;
+ reqs= (require_line *)reqs_arr->elts;
-APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
-static authz_status externalfilegroup_check_authorization(request_rec *r,
- const char *require_args, const void *parsed_require_args)
-{
- authnz_external_dir_config_rec *dir= (authnz_external_dir_config_rec *)
- ap_get_module_config(r->per_dir_config, &authnz_external_module);
-
- authnz_external_svr_config_rec *svr= (authnz_external_svr_config_rec *)
- ap_get_module_config(r->server->module_config, &authnz_external_module);
-
- char *user= r->user;
- char *extname= dir->group_name;
- const char *extpath, *extmethod;
- const char *filegroup= NULL;
- const char *t, *w;
- int code;
+ /* Loop through the "Require" argument list */
+ for(i= 0; i < reqs_arr->nelts; i++)
+ {
+ if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) continue;
- /* If no authenticated user, pass */
- if ( !user ) return AUTHZ_DENIED_NO_USER;
+ t= reqs[i].requirement;
+ w= ap_getword_white(r->pool, &t);
- /* If no external authenticator has been configured, pass */
- if ( !extname ) return AUTHZ_DENIED;
+ /* The 'file-group' directive causes mod_authz_owner to store the
+ * group name of the file we are trying to access in a note attached
+ * to the request. It's our job to decide if the user actually is
+ * in that group. If the note is missing, we just decline.
+ */
+ if ( !strcasecmp(w, "file-group"))
+ {
+ filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
+ if (filegroup == NULL) continue;
+ }
- /* Get the path and method associated with that external */
- if (!(extpath= apr_table_get(svr->group_path, extname)) ||
- !(extmethod= apr_table_get(svr->group_method,extname)))
- {
- errno= 0;
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "invalid GroupExternal keyword (%s)", extname);
- return AUTHZ_DENIED;
+ if( !strcmp(w,"group") || filegroup != NULL)
+ {
+ required_group= 1;
+
+ if (t[0] || filegroup != NULL)
+ {
+ /* Get the path and method associated with that external */
+ if (!(extpath= apr_table_get(svr->group_path, extname)) ||
+ !(extmethod= apr_table_get(svr->group_method,
+ extname)))
+ {
+ errno= 0;
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "invalid GroupExternal keyword (%s)", extname);
+ ap_note_basic_auth_failure(r);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ if (filegroup != NULL)
+ {
+ /* Check if user is in the group that owns the file */
+ code= exec_external(extpath, extmethod, r, ENV_GROUP,
+ filegroup);
+ if (code == 0) return OK;
+ }
+ else if (dir->groupsatonce)
+ {
+ /* Pass rest of require line to authenticator */
+ code= exec_external(extpath, extmethod, r, ENV_GROUP, t);
+ if (code == 0) return OK;
+ }
+ else
+ {
+ /* Call authenticator once for each group name on line */
+ do {
+ w= ap_getword_conf(r->pool, &t);
+ code= exec_external(extpath,
+ extmethod, r, ENV_GROUP, w);
+ if (code == 0) return OK;
+ } while(t[0]);
+ }
+ }
+ }
}
- /* Get group name for requested file from mod_authz_owner */
- filegroup= authz_owner_get_file_group(r);
-
- if (!filegroup)
- /* No errog log entry, because mod_authz_owner already made one */
- return AUTHZ_DENIED;
-
- /* Pass the group to the external authenticator */
- code= exec_external(extpath, extmethod, r, ENV_GROUP, filegroup);
- if (code == 0) return AUTHZ_GRANTED;
+ /* If we didn't see a 'require group' or aren't authoritive, decline */
+ if (!required_group || !dir->authoritative)
+ return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Authorization of user %s to access %s failed. "
- "User not in Required file group (%s).",
- r->user, r->uri, filegroup);
+ "access to %s failed, reason: user %s not allowed access (%s)",
+ r->uri, r->user, dir->grouperror);
- return AUTHZ_DENIED;
+ ap_note_basic_auth_failure(r);
+
+ return (dir->grouperror && (ret= atoi(dir->grouperror)) > 0) ? ret :
+ HTTP_UNAUTHORIZED;
}
#endif
};
-static const authz_provider authz_externalgroup_provider =
-{
- &externalgroup_check_authorization,
- NULL,
-};
-
-static const authz_provider authz_externalfilegroup_provider =
-{
- &externalfilegroup_check_authorization,
- NULL,
-};
static void register_hooks(apr_pool_t *p)
{
- /* Get a handle on mod_authz_owner */
- authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
-
- /* Register authn provider */
- ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "external",
- AUTHN_PROVIDER_VERSION,
- &authn_external_provider, AP_AUTH_INTERNAL_PER_CONF);
-
- /* Register authz providers */
- ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "external-group",
- AUTHZ_PROVIDER_VERSION,
- &authz_externalgroup_provider, AP_AUTH_INTERNAL_PER_CONF);
-
- ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "external-file-group",
- AUTHZ_PROVIDER_VERSION,
- &authz_externalfilegroup_provider, AP_AUTH_INTERNAL_PER_CONF);
+ ap_register_provider(p, AUTHN_PROVIDER_GROUP, "external", "0",
+ &authn_external_provider);
+
+ ap_hook_auth_checker(authz_external_check_user_access, NULL, NULL,
+ APR_HOOK_MIDDLE);
}
-AP_DECLARE_MODULE(authnz_external) = {
+module AP_MODULE_DECLARE_DATA authnz_external_module = {
STANDARD20_MODULE_STUFF,
create_authnz_external_dir_config, /* create per-dir config */
NULL, /* merge per-dir config - dflt is override */
+++ /dev/null
-v1.0.3 (Jan Wolter - )
-------------------------------------
- * Allow group names to be quoted, so that you can have group names with
- spaces in them. This change was suggested by David Homborg. Not yet
- tested.
-
-v1.0.2 (Jan Wolter - May 21, 2009)
-------------------------------------
- * Adding copyright and Apache Version 2.0 license in LICENSE and NOTICE
- files.
- * New directive: AuthzUnixgroupError, can be used to specify the HTTP
- error number to be returned on failure.
-
-v1.0.1 (Jan Wolter - Aug 6, 2008)
-------------------------------------
- * Delete various logging statements that were really just there for
- debugging and should have been removed sooner.
-
- * If there is an '@' in the user's login name, strip off that and anything
- after it. An '@' sign is never legal in an unix login name, and some
- authentication modules, like mod_auth_kerb, append an "@domain" to the
- user's login name.
-
- Both of the above modifications are inspired by patches made by Ken Lalonde
- <ken at globalremit dot com>.
-
- * Included "http_request.h" header file to surpress a harmless compile-time
- warning.
-
-v1.0.0 (Jan Wolter - Feb 19, 2006)
-------------------------------------
- * Original release
+++ /dev/null
-How to install mod_authz_unixgroup.c into Apache:
-
-NOTES:
-
- * There are two ways of installing mod_authz_unixgroup.
-
- (1) You can statically link it with Apache. This requires rebuilding
- Apache in such a way that mod_authz_unixgroup will be compiled in.
-
- (2) You can make mod_authz_unixgroup a dynamically loaded module. If
- your Apache has been built to support dynamically loaded modules
- you can do this without rebuilding Apache, so it is pretty easy.
- Performance may be slightly worse with this option. For information
- on dynamically loaded modules see http://www.apache.org/docs/dso.html
-
- Instructions for both options are given here.
-
- * There is also documentation in the README file. If you find this document
- unclear, reading that may help.
-
-
-INSTALL METHOD A: Dynamically Linking Mod_authz_unixgroup using apxs:
----------------------------------------------------------------------
-
-Step 1:
- Ensure that your Apache server is configured to handle dynamically
- loaded modules. To check this, run Apache server with the -l command
- flag, like
-
- httpd -l
-
- If mod_so.c is one of the compiled-in modules, then you are ready
- to go.
-
-Step 2:
- Compile the module using the following command in the
- mod_authz_unixgroup distribution directory:
-
- apxs -c mod_authz_unixgroup.c
-
- 'Apxs' is the Apache extension tool. It is part of the standard
- Apache installation. If you don't have it, then your Apache server
- is probably not set up for handling dynamically loaded modules.
- This should create a file named 'mod_authz_unixgroup.so'.
-
-Step 3:
- Install the module. Apxs can do this for you too. Do the following
- command (as root so you can write to Apache's directories and config
- files):
-
- apxs -i -a mod_authz_unixgroup.la
-
- This will create mod_authz_unixgroup.so and copy it into the proper
- place, and add appropriate AddModule and LoadModule commands to the
- configuration files. (Actually, it may get the LoadModule command
- wrong. See below.)
-
-Step 4:
- Go to the CONFIGURATION instructions below.
-
-
-INSTALL METHOD B: Statically Linking
-------------------------------------
-
-Step 1:
- Read the instructions on how to configure the Apache server in the
- INSTALL file provided with the Apache source.
-
-Step 2:
- When you run the ./configure script, include an --with-module flag,
- giving the full pathname to the mod_authz_unixgroup.c file in this
- distribution. For example, if you have unpacked this distribution
- in /usr/local/src/mod_authz_unixgroup and are building Apache for
- installation in /usr/local/apache, you might do:
-
- ./configure --prefix=/usr/local/apache \
- --with-module=aaa:/usr/local/src/mod_authz_unixgroup/mod_authz_unixgroup.c
-
- This will copy the mod_authz_unixgroup.c file into the correct place in
- the Apache source tree and set things up to link it in.
-
-Step 3:
- Type "make" to compile Apache and "make install" to install it.
-
-Step 4:
- Go to the CONFIGURATION instructions below.
-
-
-CONFIGURATION:
---------------
-
-Mod_authz_unixgroup is pretty simple to use. First, you need to enable it
-for whatever directory you want to use it in, by inserting the following
-directive either in a .htaccess file in the directory or a <Directory> block
-in the httpd.conf file:
-
- AuthzUnixgroup on
-
-Second, you will need a require directive like
-
- Require group admin
-or
- Require group students teachers staff
-
-Obviously this only makes sense in a directory where you are doing
-authentication. This could be any kind of authentication, but it makes
-most sense if you are using it in combination with authentication out of
-the unix password file, perhaps using mod_auth_external together with
-pwauth, or mod_auth_shadow. The "Require group" directive will then
-cause mod_authz_unixgroup to check if the user is in one of the groups
-listed, and reject the authentication if they are not. A user is considered
-to be in a group if either (1) the group is the user's primary group
-identified by it's gid number in /etc/passwd, or (2) the group is listed
-in /etc/group and the user id is listed as a member of that group.
-
-If you are authenticating out of something other than the unix password
-database, then this can be used, but the effect is a bit odd. To pass
-the "Require group" test, there must (1) exist a unix account with the same
-name as the account the user authenticated in, and (2) that unix account must
-be in one of the unix groups listed on the Require line.
-
-It is also possible to list groups by gid number instead of name, like
-
- Require group 10
-
-would be equivalent to "Require group admin" if the gid listed for the group
-admin in /etc/group is 10.
-
-If mod_authz_owner is enabled in your httpd, then that will work with
-mod_authz_unixgroup to check access based on file groups. For example if
-we do:
-
- AuthzUnixgroup on
- Require file-group
-
-Then a user will be able to access a file if and only if that file is owned
-by a group of which the user is a member.
-
-Normally, when an access check fails, mod_authz_unixgroup will return a
-HTTP 401 error. This will typically cause the browser to pop up a message
-saying "Authentication Failed" and then the browser will ask for a new login
-name. In some cases this is not the desired behavior. If you are using the
-"Require file-group" directive, you may not want to log the user off every time
-he hits a file he doesn't have access to. Maybe you'd rather just show a
-"Permission denied message" and not log him off. You could do that by
-directing mod_authz_unixgroup to return a 403 error instead of a 401 error.
-You can do this with the following directive:
-
- AuthnzUnixgroupError 403
-
-By default, mod_authz_unixgroup is authoritative. If you want to use more
-than one group checker, like mod_authz_unixgroup together with
-mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non-
-authoritative, so that if one fails, the other will be tried. You can
-make mod_authz_unixgroup non-authoritative by saying:
-
- AuthzUnixgroupAuthoritative off
+++ /dev/null
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+++ /dev/null
-Mod_authz_unixgroup
-
- Copyright 2008 Jan Wolter
-
- This product includes software developed by Jan Wolter.
-
- This product includes software developed at
- The Apache Software Foundation (http://www.apache.org/).
+++ /dev/null
- Mod_Authz_Unixgroup version 1.0.2
-
- Author: Jan Wolter
- Website: http://www.unixpapa.com/mod_authz_unixgroup/
- Requires: Apache 2.1 or later on a Unix server
-
-Mod_Authz_Unixgroup is a unix group access control modules for Apache 2.1 and
-later. If you are having users authenticate with real Unix login ID over the
-net, using something like my mod_authnz_external/pwauth combination, and you
-want to do access control based on unix group membership, then
-mod_authz_unixgroup is exactly what you need.
-
-Let's say that you were using this with mod_authnz_external and pwauth. Your
-.htaccess file for a protected directory would probably start with the
-following directives:
-
- AuthType Basic
- AuthName mysite
- AuthBasicProvider external
- AuthExternal pwauth
-
-That would cause mod_auth_basic and mod_authnz_external to do authentication
-based on the Unix passwd database. Mod_Authz_Unixgroup would come into play
-if you wanted to further restrict access to specific Unix groups. You might
-append the following directives:
-
- AuthzUnixgroup on
- Require group staff admin
-
-This would allow only access to accounts in the 'staff' or 'admin' unix groups.
-You can alternately specify groups by their gid numbers instead of their names.
-
-Or you could use mod_authz_unixgroup together with the standard apache module
-mod_authz_owner to do something like:
-
- Require file-group
-
-This would allow access to the page, only the user was a member of the unix
-group that owns the file.
-
-Though it makes the most sense to use this with unix passwd authentication,
-it can be used with other databases. In that case it would grant access if,
-(1) the name the user authenticated with exactly matched the name of a real
-unix account on the server, and (2) that real unix account was in one of the
-required groups. However, I think this would be a pretty senseless way to
-use this module. I expect that it will really only be used by user of
-mod_authnz_external/pwauth.
-
-Some authentication modules, like mod_auth_kerb, use usernames that have
-domains appended to them, like "whomever@krb.ncsu.edu". In such cases,
-mod_authz_unixgroup will take the part before the @-sign as the username
-and ignore the rest.
-
-Mod_authnz_external is available from:
- http://www.unixpapa.com/mod_auth_external/
-
-Pwauth is available from:
- http://www.unixpapa.com/pwauth/
-
-It might also be possible to use this with mod_auth_shadow, expecially if a
-authn/authz version of that is ever released.
+++ /dev/null
-/* Copyright 2008 Jan Wolter - See LICENSE and NOTICE */
-
-#include "apr_lib.h"
-
-#include "ap_config.h"
-#include "ap_provider.h"
-#include "mod_auth.h"
-
-#define APR_WANT_STRFUNC
-#include "apr_want.h"
-#include "apr_strings.h"
-
-#include "httpd.h"
-#include "http_config.h"
-#include "http_core.h"
-#include "http_log.h"
-#include "http_protocol.h"
-#include "http_request.h" /* for ap_hook_(check_user_id | auth_checker)*/
-#if HAVE_PWD_H
-#include <pwd.h>
-#endif
-#if HAVE_GRP_H
-#include <grp.h>
-#endif
-#if APR_HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-/*
- * Structure for the module itself. The actual definition of this structure
- * is at the end of the file.
- */
-module AP_MODULE_DECLARE_DATA authz_unixgroup_module;
-
-/*
- * Data type for per-directory configuration
- */
-
-typedef struct
-{
- int enabled;
- int authoritative;
- char *errcode;
-
-} authz_unixgroup_dir_config_rec;
-
-
-/*
- * Creator for per-dir configurations. This is called via the hook in the
- * module declaration to allocate and initialize the per-directory
- * configuration data structures declared above.
- */
-
-static void *create_authz_unixgroup_dir_config(apr_pool_t *p, char *d)
-{
- authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
- apr_palloc(p, sizeof(authz_unixgroup_dir_config_rec));
-
- dir->enabled= 0;
- dir->authoritative= 1; /* strong by default */
- dir->errcode= NULL; /* default to 401 */
-
- return dir;
-}
-
-
-/*
- * Config file commands that this module can handle
- */
-
-static const command_rec authz_unixgroup_cmds[] =
-{
- AP_INIT_FLAG("AuthzUnixgroup",
- ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, enabled),
- OR_AUTHCFG,
- "Set to 'on' to enable unix group checking"),
-
- AP_INIT_FLAG("AuthzUnixgroupAuthoritative",
- ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, authoritative),
- OR_AUTHCFG,
- "Set to 'off' to allow access control to be passed along to lower "
- "modules if this module can't confirm access rights" ),
-
- AP_INIT_TAKE1("AuthzUnixgroupError",
- ap_set_string_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, errcode),
- OR_AUTHCFG,
- "HTTP error code to return when user is not in group" ),
-
- { NULL }
-};
-
-
-/* Check if the named user is in the given list of groups. The list of
- * groups is a string with groups separated by white space. Group ids
- * can either be unix group names or numeric group id numbers. There must
- * be a unix login corresponding to the named user.
- */
-
-static int check_unix_group(request_rec *r, const char *grouplist)
-{
- char **p;
- struct group *grp;
- char *user= r->user;
- char *w, *at;
-
- /* Strip @ sign and anything following it from the username. Some
- * authentication modules, like mod_auth_kerb like appending such
- * stuff to user names, but an @ sign is never legal in a unix login
- * name, so it should be safe to always discard such stuff.
- */
- if ((at= strchr(user, '@')) != NULL) *at= '\0';
-
- /* Get info about login */
- struct passwd *pwd= getpwnam(user);
- if (pwd == NULL)
- {
- /* No such user - forget it */
- if (at != NULL) *at= '@';
- return 0;
- }
-
- /* Loop through list of groups passed in */
- while (*grouplist != '\0')
- {
- w= ap_getword_conf(r->pool, &grouplist);
- if (apr_isdigit(w[0]))
- {
- /* Numeric group id */
- int gid= atoi(w);
-
- /* Check if it matches the user's primary group */
- if (gid == pwd->pw_gid)
- {
- if (at != NULL) *at= '@';
- return 1;
- }
-
- /* Get list of group members for numeric group id */
- grp= getgrgid(gid);
- }
- else
- {
- /* Get gid and list of group members for group name */
- grp= getgrnam(w);
- /* Check if gid of this group matches user's primary gid */
- if (grp != NULL && grp->gr_gid == pwd->pw_gid)
- {
- if (at != NULL) *at= '@';
- return 1;
- }
- }
-
- /* Walk through list of members, seeing if any match user login */
- if (grp != NULL)
- for (p= grp->gr_mem; *p != NULL; p++)
- {
- if (!strcmp(user, *p))
- {
- if (at != NULL) *at= '@';
- return 1;
- }
- }
- }
-
- /* Didn't find any matches, flunk him */
- if (at != NULL) *at= '@';
- return 0;
-}
-
-
-static int authz_unixgroup_check_user_access(request_rec *r)
-{
- authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
- ap_get_module_config(r->per_dir_config, &authz_unixgroup_module);
-
- int m= r->method_number;
- int i,ret;
- const char *t, *w;
- const apr_array_header_t *reqs_arr= ap_requires(r);
- const char *filegroup= NULL;
- int required_group= 0;
- require_line *reqs;
-
- /* If not enabled, pass */
- if ( !dir->enabled ) return DECLINED;
-
- /* If there are no Require arguments, pass */
- if (!reqs_arr) return DECLINED;
- reqs= (require_line *)reqs_arr->elts;
-
- /* Loop through the "Require" argument list */
- for(i= 0; i < reqs_arr->nelts; i++)
- {
- if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) continue;
-
- t= reqs[i].requirement;
- w= ap_getword_white(r->pool, &t);
-
- /* The 'file-group' directive causes mod_authz_owner to store the
- * group name of the file we are trying to access in a note attached
- * to the request. It's our job to decide if the user actually is
- * in that group. If the note is missing, we just ignore it.
- * Probably mod_authz_owner is not installed.
- */
- if ( !strcasecmp(w, "file-group"))
- {
- filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
- if (filegroup == NULL) continue;
- }
-
- if ( !strcmp(w,"group") || filegroup != NULL)
- {
- required_group= 1;
-
- if (filegroup)
- {
- /* Check if user is in the group that owns the file */
- if (check_unix_group(r,filegroup))
- return OK;
- }
- else if (t[0])
- {
- /* Pass rest of require line to authenticator */
- if (check_unix_group(r,t))
- return OK;
- }
- }
- }
-
- /* If we didn't see a 'require group' or aren't authoritive, decline */
- if (!required_group || !dir->authoritative)
- return DECLINED;
-
- /* Authentication failed and we are authoritive, declare unauthorized */
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user %s not allowed access (%s)",
- r->uri, r->user, dir->errcode);
-
- ap_note_basic_auth_failure(r);
-
- return (dir->errcode && (ret= atoi(dir->errcode)) > 0) ? ret :
- HTTP_UNAUTHORIZED;
-}
-
-static void authz_unixgroup_register_hooks(apr_pool_t *p)
-{
- ap_hook_auth_checker(authz_unixgroup_check_user_access, NULL, NULL,
- APR_HOOK_MIDDLE);
-}
-
-
-module AP_MODULE_DECLARE_DATA authz_unixgroup_module = {
- STANDARD20_MODULE_STUFF,
- create_authz_unixgroup_dir_config, /* create per-dir config */
- NULL, /* merge per-dir config */
- NULL, /* create per-server config */
- NULL, /* merge per-server config */
- authz_unixgroup_cmds, /* command apr_table_t */
- authz_unixgroup_register_hooks /* register hooks */
-};
projects / apache-authnz-external / commitdiff